Posted by timothy on Monday July 11, 2011 @07:46PM from the milo-minderbinder-comes-to-mind dept.

nonprofiteer writes "Banks plan to compete with Groupon and LivingSocial by targeting coupons and deals at credit card holders based on their shopping habits. They found a way to do it without violating financial privacy laws: 'They're "selling" shopping habits the same way Facebook "sells" personal data about its users: in-network. It's a clever privacy work-around. Just as Facebook allows advertisers to specifically target certain kinds of users based on their profile information (without actually providing that profile information to the advertisers), banks plan to allow advertisers to send deals and coupons to their customers based on what they've bought before. That way, no user data actually leaves the network — instead, deals just enter the network. Each time a customer cashes in on one of those deals, the bank gets a commission.'"

How much effort is it to recognize a quote as being from a specific show when the name of the show is in the quote? I've never seen a single full episode, but even I could tell that it had to come from that show.

So, I send a bank a deal aimed at consumers who (for example) bought alcohol and restrict the geography to an overwhelmingly Mormon neighborhood and get back a list of names. I cross reference those with church memberships. I now can target the backsliders.

But the bank didn't sell you the list of names. The only way to get a list of names is if someone from the community you are targeting actually clicks-through on your ad and places an order. I'm sure there are other existing ad networks that would allow you to do the same.

Trivial. The Mormon Police just have the bank send all of those people a bogus prize certificate for a free motor boat and then when they show up to get their boat, the Mormon Police arrest them and beat them to the full extent of the law.

The police have always had access to this kind of information, as has the tax man. That is the reason that rich people liked to keep money in numbered Swiss accounts, before they opened them up to scrutiny.

You don't get a list of names. You send the bank a deal aimed at customers who bought alcohol, and restrict it to a Mormon neighborhood, and the bank sends out your offer. You don't get to know who was sent these deals; the best you could do is know who took advantage of them.

Here's how it works: Say you use your Citi-issued debit card to buy a pair of shoes at Nordstrom, and then Citi sells that information to a series of retailers. As a result, you receive a coupon from Macy's for a 20% discount on shoes at its store. The coupon is delivered by Citi, however, not from Macy's.

And that coupon contains a unique code. When purchased, Macy's now has the name, address, and credit card of someone who bought at Nordstrom. Or, for the Mormon one, you give a coupon for 50% off Domino's pizza sent to alcohol purchasers in MormonTown and when those coupons are used, you then get the names and addresses. It adds a step, but it is a vector for "attack" for getting unrelated information from customers. It isn't delivered by the bank, but via the bank, and that apparently makes the leak le

Nope. Macy's never sees a coupon. There is absolutely no way for Macy's to ever know who got the offer, unless the offer is so good and the item is so bad that almost all purchases would be using the coupon. In the examples of the shoes, or the pizza, that's absurd. Even if Macy's was giving a -100% coupon, how could they weed those out from the normal shoe purchases? It would only potentially work on items that are so shitty that nobody (literally nobody) buys

Even if Macy's was giving a -100% coupon, how could they weed those out from the normal shoe purchases?

By having a unique code on the coupon "to prevent reuse" that will link that person with the parameters used to generate that coupon.

The privacy concern is not that a merchant could ever find anything out (they absolutely cannot) but that to allow for verification, the merchants would have to send more information to the bank than just the total bill.

I think you are quite confused. Try this. You send CitiBank $10 per person for them to pass along some coupons (all with unique codes) for one free medium pizza to everyone who shopped at a tobacco store. The code requires online purchase and includes free delivery (costing you another $10 per person). You then have a list of smokers in an area for $20 per person. Sell th

You bought those shoes in Nordstrom using your Citi debit card. Citi now know that information. What's more, they mine their database for all sorts of data that they then use to build up a profile of your shopping behaviour.

However, they do not share that information. What they do is quite coyly tell all merchants, "I have some customer info here... are you interested?"

Yes and all they know is that you're in a demographic. You bought shoes that aren't work boots... you probably buy shoes. Macy's usually sends out a catalog including that stuff to anyone who purchases from them anyway, and they'll... send one to you. Why would they do anything different? Doing all that work based on demographics is a pain, mainly due to having to print other shit; blasting the full catalog at anyone in their sights works better. Special offers? Weekend sale, you come this weekend or

Look, you think it works one way. I think it works another. In my opinion, the merchant never sees a coupon, because the bank issues the rebate offer, and the bank honors the rebate offer. Now, I think my opinion is a bit more valid because I READ THE FUCKING ARTICLE and YOU ARE PULLING SHIT OUT OF YOUR ASS. But that's just me. Maybe the article is full of lies, and you know the honest truth. We'll see, I suppose?

At what point does a specific code link to a specific user, the only person who knows that is Citibank?

When they use the code to buy something, and thus are identified. A good ploy to require this is to force online purchases so nobody can pay in person with cash and get the deal with their unique code. Or, depending on the rules, have Citibank just distribute an image in their spam that leaks the information to 3rd parties directly when someone clicks on it. After all, if 3rd party leaks are allowed (necessary for the scheme this article is about), then this is exactly the same thing with just a little o

How did all you idiots get the fool idea that Macy's is going to have a [Non-Identified User]:[Specific Coupon Code] mapping? The bank goes, "We sent out offers. People clicked. We need 50 coupons." End of story. Macy's knows they sent out 50 coupons this time for these offers in this pool (maybe the bank doesn't tell them that, but they can still jockey the offers to differentiate the pools). They know the people showing up to claim are CitiBank customers. They know where they live because, well, yo

Your bank only knows that you spent money at Nordstrom. It doesn't have an item level transaction history, so it cannot know that you bought shoes unless it has access to Nordstrom's transaction logs. Therefore, for this to really fly, the retailer has to share their t-logs with the bank. So the banks aggregate t-log data from a number of retailers, and then resell that information back to the retailers.

Some merchant APIs allow you to detail exactly what was purchased in the transaction. I haven't come across any payment gateways that make these parts of the payload compulsory (yet), but they definitely seem to be available for use. If the bank offered a bit of an incentive to include this information (lower fees) I can well imagine the bean counters would be entirely okay with selling customer souls to make a bit more money.

So, I start a coupon publication like RedPlum. I design the coupons, and do everything for the local business. I then make different coupon circulars, based on people who shop at package stores, people who spend money at Hooters, drink at bars, shop at pharmacies, toy stores, dollar stores, high end stores, conferences, and people who pay for newspaper or magazine subscriptions. In fact, I can also throw a contest code in each circular as well. Whatever it is I want to target, with a large enough market, I

That's very good. Now every Nigerian spammer knows that if they send fake emails from Citi about fake Macy's coupons (which are really phishing attempts) to everybody, then Citi's customers will read the email and think "hmm, this email is a bit dodgy, but Citi usually sends me good deals, so I'll do what this one says anyway".

You don't even know that. You never see a coupon. You cannot know who took advantage of them. The coupons are not at-the-till discounts, they are rebates, and those rebates are processed by the banks. The only way you could know who took advantage of the deal is if all purchasers were taking advantage of the deal, which you could verify by comparing the total sales with the total bill from the marketing company issuing the rebate coupons.

So, I send a bank a deal aimed at consumers who (for example) bought alcohol and restrict the geography to an overwhelmingly Mormon neighborhood and get back a list of names. I cross reference those with church memberships. I now can target the backsliders.
I have somehow magically not violated anyone's privacy.

... What do Mormonism and alcohol have to do with each other? Sure, the Mormon faith says you can't drink. So does the Muslim faith, and Catholics aren't supposed to use contraception. How many Muslims do you know that drink, and Catholics that take the pill?

Exactly. Now grow up and stop viewing the world in black and white. That's just immature and not how things actually are.

Mormons operate much more like a cult than most major religions. There are significant consequences to not behaving the way the church wants you to behave.

Most of that is based on extensive social pressure. The Mormon church tries very hard to narrow your social existence down to just other Mormons. They have special fellowship groups for Mormon singles to make sure you're meeting and marrying other Mormons. They have their own TV channel with programming they expect you to watch - and if you don't watc

The Mormon church tries very hard to narrow your social existence down to just other Mormons. They have special fellowship groups for Mormon singles to make sure you're meeting and marrying other Mormons. They have their own TV channel with programming they expect you to watch - and if you don't watch it, everyone at church will admonish you when they talk about what was on and you don't know what they're talking about. There is tremendous pressure to conform, and there is lots of programming that starts early. You know how women dream of the "perfect wedding"? Well, in the Mormon church, they program you from a very early age to really want to be married at the Mormon temple in Utah. Don't behave the way the church wants you to? No perfect wedding for you!

So, if you're a single woman and tell your Catholic priest you're using birth control, he'll probably tell you the pope doesn't like it and suggest something else. If you tell your Mormon church official that you're using birth control, they will require you to go to counseling about the evils of premarital sex and if you don't go, they will toss you from the church, which may very well result in all your friends and family refusing to continue to associate with you. And don't think that's limited to severe behaviors - I knew an (unmarried) couple pushed into intensive religious counseling because the church officials found out they were both lying horizontally on the same bed at the same time! (By, I believe, basically suggesting to the female half that she better be honest or god was going to smite her.)

Nice! You're definitely not right, but that's not why you're posting, is it?

It all really depends on the congregation. My Mormon friends tend to treat the fact that they do "bad things" much more seriously than friends of other faiths, and they've implied there are some pretty severe social consequences for it. In the mostly non-religious Pacific Northwest where I currently live, this is incredibly noticeable, because no other church does this.

However, I've also spent a little time in the Southern states (Mississippi and Georgia mostly) - and found a lot of "mainstream" Christian

When you pay the bank, you don't get back a list of names at all. The bank would be sending out junk mail, SMS, or email based on your chosen demographics. It would be a 3rd party offer.

Most websites, companies, etc. allow you to specify that you don't want to receive it, but they also specify that affiliates and subsidiaries get access to the data. The banks don't get that loophole in this case.

In your example, what you are really pointing out is that whatever percentage of customers click on the links, or even view the email with downloaded pictures, are revealing themselves and losing their privacy. In order for the bank to receive a commission it needs to admit that particular customer was indeed part of the chosen demographics.

It violates the customer's privacy in spirit; in actuality the customer is misled at best, and at worst responsible for losing their own privacy through their own actions.

In other words, the customers are being tricked into confirming purchasing habits outside of the bank.

Very dirty and hopefully there will be an opt-out option for this voluntarily, or by law.

It's OK if banks violate customers in spirit as long as no laws are broken. It is almost impossible to keep making laws to prevent bad bank behavior. They have lots of people sitting in meetings trying to figure out ways to vacuum money from the public.

"Banks shall not share any customer data with outside entities, except in cases where the information shared and with whom was explicitly approved by the customer." But make that into a law, and it will be 300 pages long and allow sharing for everything possible and allow the practice of requiring waivers before opening accounts allowing them to share data with anyone else.

Yeah, the customers are being tricked into releasing their information. Yet, that is a completely different situation from their information being released by the bank. I'm not claiming it is moral, but there are two points to consider...

One is that you can simply not use the service, you'll receive spam but you can just ignore it. If it was so easy to protect our personal information at every situation, most of the people concerned would be quite glad.

If the bank sends spam to their customers, then the customer (or his spam filter...) learns to associate non-banking related communications with his bank. This in turn makes phishing easier, since the small clues that normally make the fake banking emails stand out are no longer that clear.

Banks should never send email to their customers, it should always be the other way around.

Can someone clarify how viewing the email with downloaded pictures necessarily identifies the customer?

Simple. Rewrite rules in Apache. You can use them to uniquely identify each picture in the email and associate it with a uniqueid or campaign. All that matters is when the browser makes a request that the data is fed back to the browser in a way it expects. I do it all the time. IIRC, they sometimes are specific white space markers called "tracking pixels".
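The mechanism described in the comment above (a per-recipient image URL that gets logged when the mail client fetches it) can be checked for on the receiving side. The following Python scan is an added example, not part of the original thread; the sample email, the hostnames and the 16-character token threshold are constructed assumptions, and the rules are heuristics rather than a complete detector.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristic: 16+ alphanumerics mixing letters and digits look like an
# opaque per-recipient or per-campaign identifier rather than a file name.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,}")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def dimension(value):
    """Return the leading integer of a width/height attribute, or None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def is_tiny(attrs):
    """True for 0/1-pixel or hidden images, the classic 'tracking pixel' shape."""
    width = dimension(attrs.get("width"))
    height = dimension(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((width is not None and width <= 1)
            or (height is not None and height <= 1)
            or "display:none" in style)


def looks_opaque(value):
    return (TOKEN_RE.fullmatch(value) is not None
            and any(c.isdigit() for c in value)
            and any(c.isalpha() for c in value))


def opaque_tokens(url):
    """Path segments and query values that look like unique identifiers."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [val for _, val in parse_qsl(parts.query)]
    # Drop a trailing file extension so "abc123....gif" is judged on its stem.
    stems = [c.rsplit(".", 1)[0] for c in candidates]
    return [s for s in stems if looks_opaque(s)]


def find_beacons(html):
    """Return [(src, [reasons])] for remote images that would identify the reader.

    Only http/https images count: cid: and data: images are carried inside the
    message and cause no request to a remote server when displayed.
    """
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        if urlsplit(src).scheme not in ("http", "https"):
            continue
        reasons = []
        if is_tiny(attrs):
            reasons.append("tiny-image")
        if opaque_tokens(src):
            reasons.append("opaque-token")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample message body (not taken from any real campaign).
SAMPLE_EMAIL = """
<html><body>
<p>Your bank has a deal for you</p>
<img src="https://img.example.com/banners/shoes.png" width="600" height="200">
<img src="https://t.example.com/o/9f8e7d6c5b4a39281706f5e4/open.gif" width="1" height="1">
<img src="https://cdn.example.com/logo.png?uid=a1b2c3d4e5f60718293a4b5c" width="120" height="40">
<img src="cid:inline-logo" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE_EMAIL):
        print(", ".join(reasons), "->", src)
```

A mail client or gateway that blocks remote image loading by default defeats both flagged cases, since the identifier is only reported when the image is fetched.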

A coupon could have a non-unique barcode to keep track of how many customers the bank sent the merchant's way without the coupon being specific to the client. Same goes for links in email; isn't it more trouble to have every click-through associated uniquely with an email?

It will more than likely be email. It's cheapest to implement. As far as non-specific goes that is impossible here. I, Bob Smith made a purchase o

Err, as a former resident of Utah, you don't even need to do that... just go to any casino in Wendover, Nevada (it's only 90 minutes' drive from Salt Lake) and start writing down license plate numbers...

It's like the old running local joke:

* Jews do not recognize Jesus as the messiah.
* Catholics do not recognize Martin Luther as an authority.
* Protestants do not recognize the Vatican as a Christian authority.
* Mormons do not recognize each other in Casinos, Strip Clubs, or Liquor Stores.

Somehow because the consumer chose to use the coupon, does that constitute agreement by the consumer to share this information with the retailer? Will a disclaimer to this fact be included with the coupon?

I would hope that to be legal, the coupon would have (in lettering the same size as the details of the coupon) a statement that "using this coupon will share information with the retailer that includes your shopping habits, account size, payment history, address, credit score, and any information we have about other accounts under your name or address." Short of that, this type of leak should be a felony landing the CEO in jail.

You, the hypothetical advertiser, never get your hands on the custom distribution list.

Send them a coupon for a free something, or for a free entry into a contest, and you'll get a sizable portion of the custom distribution list. Sure, you won't get 100%, but there are ways to get customer data from the bank now that weren't possible before.

I'm taking my daughter powerboating thanks to a good Groupon deal. We don't normally do that kind of thing, but a good deal caught my eye and it sounded a blast. There is no way anyone could have seen that coming from my purchase history. This isn't the first time Groupon has appealed to the random in me either, and from what I gather from talking to other people this isn't uncommon.

The problem with this, at least from the company's point of view, is that you're not terribly likely to go powerboating again. I mean, certainly there's the possibility that you fall in love with it, and go every week, but the company is likely losing a good deal of money on the initial 50% off. There are too many people who just follow the Groupon deals, rather than following the companies who put out one Groupon, in order to draw people in. The end result is that Groupon can be disastrous to the compani

Yep, I'll second AC here. It is up to the company to decide if they'll have profits for that sale or not, the GP didn't set the price. It can very well post some offers that just take away part of their profits, keeping them positive, as they can bet that a higher yield due to the offer will make the reduced price lucrative. Or maybe it did hope that the GP would like it so much that he would return, paying the full price. If it made the wrong bet, well, that happens a lot when betting.

I dunno. The "typical" groupon deal is for 50% off. And groupon's commission is like 50%, too. How many businesses are still in profit territory at 25% of the asking price?

Which brings to mind an interesting point: Groupon is not so well established that they couldn't be unseated by an organization that realizes that a web site can operate with pretty thin commissions, and they might sell even more coupons if they restrict any added-on ad-copy to things that are just funny, rather than funny and insul

About competition, there are plenty of groupon-like sites out there. It is just a matter of their clients discovering them. I don't know why they put up with that much just to announce on groupon, but again, it's their decision.

It doesn't seem that you understand price discrimination very well. Often times the best way to maximize profits is to find a way to charge lots of people what they're each individually willing to pay instead of trying to maintain the same price for everyone. Even if none of your groupon customers become repeat customers, you still upped your revenue. And you may have upped your revenue by a lot more than the co

I agree with that. It's great for customers, not so great for businesses. And when I see the deals I often don't understand why they would participate.

I just bought a groupon for a fancy dinner for two, cost HK$338.00 instead of HK$1,036.00. So the restaurant gets only HK$169 for this dinner, which includes a bottle of wine. I can not imagine they can cover even the ingredients at this price, let alone staff and rent costs. It's been bought by 282 people so far, so the loss of potential revenue for the res

You are exactly the people that Groupon wants to reach. A business wants to appeal to a new customer with the deal, but not give away a super deal to existing customers. They want you to try a powerboat adventure, hoping you'll come back again at full price.

Isn't this like the game "go fish"?
Have any cat fanatics? 10!
Have any porn addicts? 10000!
And every response or query about more information, or even downloading of image-data for the ad, outs the users targeted by the bank on behalf of the bank's spam-client.

If you can be accomplice to murder, you can sell private information by proxy too.

Unless the targeted users actually whip out a credit card, all you really get are a bunch of IP addresses, browser agent strings, maybe some cookies, and actual info from the few people dumb enough to fill out anything else you ask them to.

I place a certain value on my privacy. I had one of those "loyalty cards" years ago at the nearby grocery. I'd use it to get the cheaper price on the stuff they sold me. In return I got a bunch of junk in the mail trying to sell me more stuff. When I stopped using the card I got less junk in the mail.

I had a credit card. In exchange for using the credit card the credit card company sent me stuff in the mail trying to sell me more stuff. They would also call me at home. How far and wide this information on my buying habits went hit me when I used my credit card at a gas station I don't normally visit and a couple weeks later I got a credit card advertisement in the mail from the gas station. I pay for my fuel and groceries with cash now excepting rare occasions when I forget to stop by the bank before my wallet gets too thin, then I pull out my debit card.

Not only does using cash prevent banks from selling my buying habits it also avoids the threat of my bank account information from being stolen with those hidden card readers that are popping up on gas pumps and the like. I don't even like to use ATMs any more. Not only is there a threat of my card getting copied by a hidden card reader the ATMs spit out only $20 bills. With a tank of gas costing over $60 and a grocery cart filled with food typically costing around $100 I prefer to see a real live teller so I can get $50 and $100 bills, that way my wallet doesn't get so fat and I can still buy what I need.

Now, I just wish those vending machines would take $2 and $5 bills. With a bottle of soda costing around $1.50 it makes sense to me to take the larger bills. This is also because I've had to not buy a drink because my wallet is full of $5, $20, and $100 bills.

All the crap in the mail, and the phone calls interrupting my supper, stopped for the most part once I got rid of my credit cards. Not using a debit or credit card for most purchases does mean a few more trips to the bank and having to pay for gas inside the station but that is a minor inconvenience. The bank is within walking distance of my house, and I'll often go into the gas station anyway when I travel to get a snack or use the restroom. It keeps the junk mail and cold calls down.

I have to admit that I use my credit card for pretty much everything, they pay me a cash dividend, and as I always pay my balance in full on the due date, they never charge me a penny of interest or other fees. It's convenient, and it saves me money.

I have received a total of 2 phone calls from the credit card company since signing up for the card 10 years ago. The first was them trying to sell me on a "premium" card with yearly fees. I declined and asked to stop receiving such offers. I've never been calle

I must use a respectable bank (local Credit Union) because I never see any correlation between junk mail and the stuff I buy with my card, I don't get a whole lot of junk mail and cold calls on average once a month. I buy EVERYTHING with my card and get annoyed when stores don't accept cards and will actively avoid such stores where possible. I hate change as it usually gets put by the side until you either lose it or get it together and put it in one of those automated counters that spews out a gift certif

Same here. But the banks have fought back. Banks are not open anymore outside office hours, so I have the choice to either take a day off to get my money or to use an ATM. Where I live, you cannot even bring cash to a bank anymore. You read that right: banks don't accept cash. Banks' terms of service include sections on how you MUST cooperate into investigations about where your money is from. And our government made a bank account compulsory for the payment of salaries. You are very lucky to live in a plac

Ask your local post office if they have a form. If you're going to refuse bulk rate mail anyway, your letter carrier would rather toss it instead of carrying it twice (they dispose of refused bulk rate mail at the post office).

Marketer: What did blair1q buy last week?
Bank: I would be breaking the law to tell you that.
Marketer: Did blair1q buy a toilet brush last week?
Bank: I would be breaking the law to tell you that.
Marketer: If I were to send an email to blair1q asking him to buy my toilet brush, and cut you in if he does, would that be worth anything to you?
Bank: No.
Marketer: What if it was a turnip peeler?
Bank: Put the coin in the slot, please.

Rubbing your pencil over the pad to mark it with lead and expose the un-marked indentations that were left by writing on the previous sheet is about 150 years old as an intelligence-gathering trick.

did this to me at the ATM today. I COULD NOT complete my ATM transaction without agreeing or denying a 2% cash back on my card if I went to a certain local Italian chain (I refuse to give them more advertising). I went in and asked for a feedback form. No point in yelling at a teller for something that she has no control over. I will also be sending a formal typed and mailed letter of complaint to Chase headquarters.

I like that way of handling it. I pay no attention to the ads that come with any statements I get, not that I get many since paperless makes so much more sense. ATM ads are just annoying. Give me my cash without insisting I view a commercial - that's not why I put my money in a bank.

I also shop at a grocery store that doesn't have any of those obnoxious club cards. Funny thing, they just give everyone the discount and it works. They have better prices than the other stores around. Rare time that I want som

I also shop at a grocery store that doesn't have any of those obnoxious club cards. Funny thing, they just give everyone the discount and it works. They have better prices than the other stores around.

That's rare. My experience in New England has been that the chain without the loyalty cards (Market Basket) is the cheapest - even factoring in loyalty discounts and they've been kicking the asses of all the other chains that do push the loyalty cards (opening new stores while the others have been closing stores).

Same thing in the South where Publix has been kicking Winn-Dixie's ass for prices and customer satisfaction ratings (and profits).

I don't have those types of stores here (except Wal-Mart). But usually you can fill out all types of false information on those club cards, they'll give them to you regardless. You get the discounts and/or points but nothing in your mailbox.

I don't have those types of stores here (except Wal-Mart). But usually you can fill out all types of false information on those club cards, they'll give them to you regardless. You get the discounts and/or points but nothing in your mailbox.

Unless you pay with cash every single time using fake info on the loyalty card won't help you, they will record your real info from your checking/debit/credit card and cross-reference it for all past and future purchases. Even playing "musical loyalty cards" with a bunch of other people doesn't help too much unless you swap cards frequently.

But, those commercials are how they pay for the ATM. Otherwise, they'd have to charge you for transactions. You wouldn't want to have to pay the going rate for 1-2 milliseconds of cpu time and 10 s of power for a light-duty servo motor, would you?

I like that way of handling it. I pay no attention to the ads that come with any statements I get, not that I get many since paperless makes so much more sense. ATM ads are just annoying. Give me my cash without insisting I view a commercial - that's not why I put my money in a bank.

I also shop at a grocery store that doesn't have any of those obnoxious club cards. Funny thing, they just give everyone the discount and it works. They have better prices than the other stores around. Rare time that I want something from a store with a club card, I mess with their data and use my sister's number, my inlaws' number, whichever I have for that location.

Some grocery stores do not give the discount. I just read a suggestion that you tell them you have a card listed under the number 867-5309. If you live in a large enough area, someone probably has that listed as their number.

With technology trying to progress to 'moneyless payments', this'll throw it back a few years.

I'm sure lots of people won't want to get bothered with advertisements for using their bank card to pay for something. Instead they'll just draw the money and pay with cash. I know I would do that. This'll move the whole aim at using mobile payments or whatever back quite a bit.

So far, what has enabled nice things like adblock to work is that advertisers don't trust the people who host their ads. But in the case of facebook and apparently the banks now, advertisers are more willing to trust leaving people fewer options if they want to stop being a marketing target.

I found a vendor online who seems to consistently manage to allow my credit card data - including my name, mailing address, and CVV number - to be compromised virtually every time I buy something from them. All kinds of worthless shit has been purchased in my name as a result, and my check card has been replaced no less than 3 times as a result.

To top it off some of the shit gets sent to me. Anyone want "Chinese" weight-loss green tea? Yeah, me neither. Although that wasn't as much of a pain in the as

It took three purchases from that online vendor before I was sure that the compromise was always coming as a result of shopping with them. The first time, there was a delay between ordering from them and the result of my card being compromised; hence it was hard to tell exactly how my card was compromised. The second time was such a very different collection of purchases made on my compromised card that it didn't seem at the time to be related to the previous time of having my card compromised. The third

I think there is no data being sold. As the article itself points out, no data leaves the network, only ads go IN. I do see one bit of data has to leave the network: the user must have a cookie set or something that identifies that they are responding to the ad. The advertiser then connects the ad to your data -- but you are the one that gives your personal data. I just don't see a privacy breach here.

1. This is horrible, and I'm thinking that the term "going postal" will be replaced by "going bank" after people get pissed off about this.

2. Groupon is the most worthless piece of crap because of which I've ever been forced by my wife to do things. Deals are only marginally better than deals already available at the locations that you can't use if you're paying with a Groupon ($50 groupon for $25, and half off deals all over the menu on a regular basis that are only for normal people without the damn group

I fail to see any issue with this. The bank that owns my credit card has a list of the transactions I've made on it. And they are now going to send me spam targeting me based on those transactions. The bank has always had the information. The bank still has it. There is no privacy issue here.

Let's say I want to know who in your town has purchased pornographic videos. I go to the bank with a "buy one get one free" deal for my pizza parlor and have them send it to everyone who's purchased one or more porn vi